Merge "Run idmap in its own domain."
diff --git a/file_contexts b/file_contexts
index 5ca2852..2255436 100644
--- a/file_contexts
+++ b/file_contexts
@@ -178,6 +178,7 @@
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
+/system/bin/idmap u:object_r:idmap_exec:s0
 
 #############################
 # Vendor files
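Review bot: The new entry is not column-aligned with its neighbours — the surrounding lines pad the path so the `u:object_r:` context starts in a fixed column, and `/system/bin/idmap u:object_r:idmap_exec:s0` breaks that vertical scan. Suggest `/system/bin/idmap       u:object_r:idmap_exec:s0` to match the sgdisk/blkid/tzdatacheck lines above it. Alignment is cosmetic; the label itself is consistent with the idmap_exec type declared in idmap.te.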
diff --git a/idmap.te b/idmap.te
new file mode 100644
index 0000000..1ab497e
--- /dev/null
+++ b/idmap.te
@@ -0,0 +1,10 @@
+# idmap, when executed by installd
+type idmap, domain;
+type idmap_exec, exec_type, file_type;
+
+# Use open file to /data/resource-cache file inherited from installd.
+allow idmap installd:fd use;
+allow idmap resourcecache_data_file:file { getattr read write };
+
+# Open and read from target and overlay apk files passed by argument.
+allow idmap apk_data_file:file r_file_perms;
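Review bot: The header comment `# idmap, when executed by installd` understates who runs this binary: the zygote.te hunk in this same change keeps idmap execution inside zygote's own domain, so the idmap domain only confines the installd path. Suggest widening it to `# idmap domain: entered from installd via domain_auto_trans; zygote executes idmap in-domain (see zygote.te)` so a later reader does not assume every idmap run is confined here. The explicit `{ getattr read write }` on resourcecache_data_file is deliberately narrower than `rw_file_perms` — `open` is omitted, so idmap can only write through the descriptor installd hands it; a comment stating that intent, e.g. `# No open/create: idmap writes only through the fd passed by installd.`, would stop someone "fixing" it to the macro later. If installd leaves other descriptors open across the exec (logging, pipes), `installd:fd use` alone will not cover the objects behind them; that is inferred rather than visible here, and worth checking against denials when the transition is exercised.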
diff --git a/installd.te b/installd.te
index a47853f..54f276a 100644
--- a/installd.te
+++ b/installd.te
@@ -20,7 +20,6 @@
 allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
-allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
 allow installd mnt_expand_file:dir search;
 # Check validity of SELinux context before use.
@@ -71,6 +70,9 @@
 # Run dex2oat in its own sandbox.
 domain_auto_trans(installd, dex2oat_exec, dex2oat)
 
+# Run idmap in its own sandbox.
+domain_auto_trans(installd, idmap_exec, idmap)
+
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/zygote.te b/zygote.te
index 0dba9b6..2b869c0 100644
--- a/zygote.te
+++ b/zygote.te
@@ -31,8 +31,10 @@
 allow zygote resourcecache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;
-# Execute dexopt.
-allow zygote system_file:file x_file_perms;
+# Execute idmap and dex2oat within zygote's own domain.
+# TODO:  Should either of these be transitioned to the same domain
+# used by installd or stay in-domain for zygote?
+allow zygote idmap_exec:file rx_file_perms;
 allow zygote dex2oat_exec:file rx_file_perms;
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
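Review bot: The TODO leaves zygote's idmap execution outside the new domain, which means the confinement added in idmap.te applies only to the installd path and zygote's broader permissions govern idmap when zygote runs it. If the answer is to transition, idmap.te will additionally need `allow idmap zygote:fd use;` plus whatever zygote-specific files idmap touches, and this file needs `domain_auto_trans(zygote, idmap_exec, idmap)`; if it stays in-domain, record that decision in idmap.te rather than only in a TODO here. Replacing `system_file:file x_file_perms` with the two specific exec types is a good least-privilege tightening, but any other system binary zygote executes in-domain will now be denied — worth confirming against audit output before merge (inferred; not visible in this hunk).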